PKI based e-signatures necessary?

Hello Forum,

For closed systems, is e-signature based on user authorization in the system (ID, password) sufficient to satisfy 21 CFR Part 11, or are PKI based signatures necessary? Or strongly recommended good practice?

I am referring specifically to the ability of external parties who are provided (limited) access to an eTMF system (which, I believe is a closed system as we control access and content - correct me if I am wrong) to e-sign submission documents. One of our biggest challenges to date has been how to allow CROs, Investigator's to e-sign documents without having to deal with the costly and complicated PKI certification process. A big can of worms, I know...

My understanding of 21 CFR Part 11 and related guidance is that an advanced signature such as PKI-based signatures is not mandatory to be compliant. However, implementation of a user authorization approach presents some challenges, most notably how to (a) create a permanent link between the authorization/signature and the document to which it relates that remains throughout its retention period and (b) how the authorization/signature is physically surfaced on the document so that a reader is aware that a signature exists and can see the content of the signature.

A simple e-signature, based on user authentication, is the most commonly implemented approach in systems that utilize electronic workflow, such as Sharepoint. These are great for capturing the review and approval of documents. Systems can easily be designed so that the status of the document is apparent and the audit trail can be viewed so that a user can see who reviewed and approved the document. The compliance issue however is how to embed that information into the document in a way that allows interoperability and migration of documents over time. I have seen systems that automatically create a "signature page" based on the audit trail information that then becomes an intrinsic part of the document itself. This complies with the 21CFR11 requirement for a human-readable signature.